Brad Robbert, a former adjunct assistant rofessor of Theater at Tulane University, will go on trial August 3 in Orleans Parish Criminal District on 50 counts that he possessed child pornography and 1 count of possession with intent to distribute. According to his online biography, Robbert also served as operations director for the Tulane University Shakespeare Festival from 2001 to 2009.

The investigation and arrest of Robbert offers a good overview of contemporary digital investigations. Robbert first came to the attention of law enforcement after tips submitted to the National Center for Missing and Exploited Children (NCMEC) by Google and Tumblr. They reported that Robbert had uploaded known images of child pornography, in this case images of preteen boys engaged in sexual activity.

A “known image” is a term of art in the field of computer forensics. It refers to images that depict specific victims who have been identified during a court proceeding. Those images are stored in a vast database maintained by NCMEC, along with a “hash value” that serves as a unique identifier for each image. (A hash value is created by taking each bit of a computer file and processing them through an algorithm that produces a lengthy alpha-numeric string. The odds of any two files having the same hash value are vanishingly small.)

Increasingly, online services maintain databases of the hash values of the known images stored by NCMEC, and they compare the hash values of uploaded photos against the hash values on file. If there is a match, as there was in this case, then an online service provider (such as Google) or an Internet service provider (such as Time Warner or NetZero) submits a tip to NCMEC, which passes it on to the appropriate law enforcement agency.

There is no real challenge to identifying the agency with appropriate jurisdiction. An online service provider knows the IP address of the person using its services, and can pass that along as part of the child porn tip. Investigators can look up the IP address, map it to an Internet service provider, and then subpoena the name and physical address of the subscriber who was using the IP address at the date and time in question. Once they have that information, law enforcement generally has a sufficient factual basis to request a search warrant.

The execution of the search warrant in this case was a little unusual. Police showed up at Robbert’s home at 7 a.m. on October 15, 2014, but he refused to let them in for 2½ hours. Eventually, when police gained access to the house, they discovered a plastic box with cocaine residue and another box with a large number of small plastic bags. Police tried to charge Robbert with possession of cocaine with intent to distribute, arguing that he barricaded the door to give himself time to flush a large amount of cocaine. Robbert’s attorney, however, successfully had that charge dismissed.

With a total potential sentence of 255 years for possession of child pornography, the cocaine charge is largely superfluous. During the search of Robbert’s house, police conducted a “preview” of his laptop and three hard drives. Using the same type of hash database used by online service providers, that preview identified the 51 known images that form the basis of the charges against Robbert. When the computers were subjected to a complete forensics review at a Homeland Security computer lab, investigators located over 1,000 images of child pornography.

David Ferris, section chief of the state’s Cyber Crime Unit, told the court that after Robbert was read his <i>Miranda</i> rights, he confessed to having child porn on his laptop:

<blockquote>He admitted he would have child pornography on his computer, and that he had been looking at it for quite some time. Some of the images were of children as young as 5. But I believe he said his preferred age to download was between 12 and 15.</blockquote>